Isaca Updated CRISC Exam Questions and Answers by harri

Risk transferinvolves shifting the responsibility for managing specific risks to a third party. By outsourcing the security function, the organization transfers the associated risk to a vendor specializing in security management.

Changes deployed to production are those that affect the functionality, performance, or security of the system in a way that is visible or accessible to the end users1. These changes can introduce new risks or vulnerabilities, such as errors, bugs, compatibility issues, or unauthorized access2. Therefore, it is important to monitor the risk associated with these changes and measure how often they cause incidents in production.

One metric that can be used to monitor this risk is the percentage of changes that cause incidents in production. This metric indicates how effective the change management process is and how well the organization can prevent or mitigate potential problems caused by changes3. A high percentage of incidents indicates a high level of risk and a need for improvement in the change management process.

References = IT Change Management for SOC: Process and Best Practices, Determining and Managing Risk when Deploying Code, 6 Deployment Risks and How To Mitigate Them

According to the CRISC Review Manual1, the risk register is a tool that records the results of risk identification, analysis, evaluation, and treatment. It should be updated whenever there is a change in the risk profile, such as when a vulnerability is closed or a new threat is identified. Updating the risk register allows the organization to monitor the current status of risks and the effectiveness of risk responses. Therefore, the next course of action after implementing changes to close an identifiedvulnerability is to update the risk register with the new information. References = CRISC Review Manual1, page 191.

Pre-production compatibility testing ensures patches won’t break applications or services, protecting availability—a key control objective outlined in ISACA’s guidance on Change and Configuration Management.